Overview

overview

10

Static

static

10

5d7a9507fb...d2.exe

windows7-x64

10

5d7a9507fb...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-02-2025 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe

  • Size

    80KB

  • MD5

    adfd08079cc435a0f9fa6092b0359870

  • SHA1

    0ca4754b10ba0efedba325c441dcbdd4ac8f404e

  • SHA256

    5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2

  • SHA512

    ac0d573d5f16d5191d705c03f900f29d1100b2ca1836efc020c79e35aaf391ae3040fd43892bd50d81335951d30fe57a08be7e2d9065c0ee3e32f53b1c3cb974

  • SSDEEP

    1536:Ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzr:7dseIOMEZEyFjEOFqTiQmOl/5xPvwv

Score
10/10
neconyddiscoverytrojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

    trojanneconyd
  • Neconyd family
    neconyd
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe
    "C:\Users\Admin\AppData\Local\Temp\5d7a9507fb288dc729534e02581e92e67a38f08aab84b038fcf62423180c8dd2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe
    Filesize

    80KB

    MD5

    692ca395d89625c8100071a3db65c7b3

    SHA1

    af728e91ed44d00e87ae64a703dc9c7061dc98ab

    SHA256

    8b373e65eadde04f9384a23ca1b73fe7e2cafde9f4d827c011737172fdb9e373

    SHA512

    ae49cc55ad75e4ff5dfb83d28021b6fa64caf0811f8867d0a154aa0db2ac108fdfdfe0052d2a0c4d946ab8171e94f3e8f28955b15ab4872948685c4e7cfc40b1

    Download Submit

  • C:\Windows\SysWOW64\omsecor.exe
    Filesize

    80KB

    MD5

    bd51ef6a64671b79a468f5feadad1943

    SHA1

    d03077990b2479568dfde1d022a9a4cee8229512

    SHA256

    4dee26274ef189cb4c1c17da31ec0dd406808bb22d45bca334386f63dcf139de

    SHA512

    67d10ecfb5fcf46997b0dfe5997f6f90ea535d5ad20a195f67ac708bccafec00a5b06457afede8c125b1edca4d11a86c2646805b2a4a57d3e7ce8d01c2c47b9b

    Download Submit